In IT security, the mantra is that you are only secure if the weakest link is secure. Additionally, vulnerability researchers are looking for the most obscure vulnerabilities. The same cannot be said for ICS cyber security, which goes to the heart of the lack of imagination of ICS cyber defenders compared to cyber attackers, as well as the use of cyber to initiate physical damage. Neil Holloran, Ken Loparo, and I held a session at the recent October 2017 ICS Cyber Security Conference on using cyber to manipulate physics and cause physical damage.
The cycling of reclosers to cause damage is very similar to the cycling of relays to cause an Aurora event. The cycling of electrical reclosers has caused major wildfires in California, including the Santa Rosa fire and fires in Southern California, as well as in at least two other states. As a result of the Santa Rosa fires, California State Senator Jerry Hill (D-San Mateo) has called on investigators to focus on reclosers, which send pulses of electricity into lines where service becomes briefly interrupted, helping to prevent blackouts and outages when lines are not actually damaged. Hill points to a public hearing he held two years ago in which representatives from PG&E spoke alongside counterparts from California's other two utilities, San Diego Gas & Electric Co. (SDG&E) and Southern California Edison. According to the testimony of SDG&E’s David Geier on the San Diego Witch and Rice fires, SDG&E uses protection devices on all of its transmission lines to ensure that the electric system detects and responds to fault activity and isolates the faulted line, similar to other electric utilities across the country. In that hearing, the two Southern California companies said that they had a practice of blocking the reclosers from working during fire season, as the devices can be known to spark wildfires when a downed line is, for instance, in contact with a nearby tree or dry brush. At the time, PG&E defended its stance of not doing this because the reclosers improved reliability across the system, but the hearing appears to have led to a pilot program in which PG&E was experimenting with turning off some of the devices during fire season — and, in fact, some of the reclosers in the North Bay were part of this pilot program, but many were not.
In my book, Protecting Industrial Control Systems from Electronic Threats, I identified many electric distribution reclosers as being cyber-vulnerable because of Bluetooth connectivity. As one vendor claims: “They now have a Bluetooth connection for their new distribution recloser. If your line folks and/or engineers would like to sit in the truck on those rainy days checking on the recloser...” The ability to communicate by Bluetooth provides a potential doorway for cyber attackers to manipulate utilities' recloser operation. This means that cyber attackers could bypass any safety feature settings that are installed and potentially use the operation of these reclosers to cause physical damage that could be financially devastating and/or affect human life. Since reclosers are often considered distribution equipment, they are out of scope for NERC CIP cyber security requirements. Additionally, the use of Bluetooth technology to cycle reclosers may not be detected with network monitoring.
There is a need to better understand the cyber vulnerabilities of physical equipment and to develop appropriate policies and procedures until technologies can catch up.
Joe Weiss